root can do things a user can't ... like install viruses and trojans and root kits, or formatting drives ... lots of things you normally don't want to do

i was experimenting with running X as user spot
it seemed to work ok except rxvt wouldn't run

i read somewhere that the rxvt binary might need to be setuid root so it can connect to the X server ... i haven't tried it yet ... i tried things like xhost but it didn't seem to work

there are a few other problems running as spot ... spot can't change /etc/windowmanager, so windowmanager should be in $HOME ... files in my-documents belong to root, and spot can't change them or delete them ... spot would have trouble mounting and unmounting and writing to drives

One of the main reasons I like Puppy is its simplicity and ease of use. Running as root removes a pointless and annoying impediment to doing what I want with my computer.

I don't like Knoppix because it is designed to make it hard to run as root, which means it is difficult to use many of the programs in Knoppix. I guess Mr. Knopper just puts them in the OS because he likes them but he doesn't think anyone else should use them.

I live in a country where pretty much everyone who wants one owns a gun and a car, both of which kill and maim people by the thousands each day, not to mention the damage they do to the rest of creation. No one seems to care much, or even take much notice. So why is it such a big deal for me to run as root, in my own damn computer? If I screw it up, that's my fault. I wish more people would be like Barry and stop trying to protect me from my own stupid mistakes.

it's another thing to keep a fully-loaded gun, cocked, and with a hair-trigger, on your coffee table next to the tv remote

....or smoke, which kills far more people than guns and drunk drivers put together yet is perfectly legal (even encouraged, in France) on grounds of 'personal freedom' and 'personal responsibility.' Why can't I enjoy the same personal freedom with my own computer in the privacy of my own home?

Note: The following opinion does not apply to Puppy as we already know why it does not matter in puppy to run as root.

For other distributions or OS's:

Running as root affects other people, not only you.

Of course, if it is a disconnected computer, you can only screw your own system, but it shouldn't be easy for a new user to do it.

If it is not a disconnected computer then you are risking other people on the same network if you run as root: Your mom, wife, coworkers, etc etc etc.

When you run as root:
- You can catch viruses more easily.
- Third parties can exploit vulnerabilities
- Trojan horses can open ports and start services

Even if it is only your computer connected to the internet, if you run as root you can get infected with a 'zombie' virus that can be used for DOS (Denial of service) attacks to third parties or for spamming.

Well, you get the idea: Having a compromised computer may affect other people.

A good Netizen should not leave a system running as root 'unattended'. Meaning: Only use root while you need to perform admin tasks, otherwise, use limited user.

Joined: 18 May 2005 Posts: 11132 Location: The Peoples Republic of California

Posted: Mon 18 Jul 2005, 03:06 Post subject:

Running as root affects other people, not only you.

Frankly, I disagree that I am affecting anyone by running as root, in the context you suggest, i.e. on other distributions.

When I used to run Windows 9x, I never got infected with a virus or a trojan. I use Windows 9x as an example because it is as if one is 'root' in terms of permissions. In most cases the infection is a user interaction. Not something that just happens. That is one reason why I never got an infection.

If I never got a trojan or virus infection with Windows, realistically speaking, what would be the odds of me getting infected with Linux?

As far the third party exploits you mention, this implies someone can gain illicit access to my computer remotely. How do you suppose they could do that?

Scanners can locate my computer by IP address and try various exploits to gain access. My log file shows these attempts happen with regularity. There are no open doors (ports) or software waiting to respond to the access attempts (except 113 and 8 that I'm aware of). Even if there were service ports or open ports, my router would not pass requests to the ports on my computer, unless I set it up to do so.

There are some potential exploits with web browsers, but most of them are ActiveX or JavaScript. I don't have ActiveX. JavaScript is enabled on a case by case basis, via an extension.

A good Netizen should not leave a system running as root 'unattended'

Actually, I am a good Netizen. My computer is also, meaning to say there are no trojans running on it. I sleep with the computer running as root and it's connected to the Internet 24/7.

Your statement about leaving the system 'unattended' causes me to think you have a belief that people can remotely access your Linux computer when you are running as root without an interaction on your part.
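The post above states that nothing on the machine is listening for connections. One way to verify that on Linux is to read the kernel's socket table, as in this added example (not code from the thread; the `SAMPLE` text is constructed and the function names are illustrative), which also picks out listeners that are owned by root and reachable from the network:

```python
import socket
import struct

LISTEN = "0A"  # state code for a listening socket in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not taken from a real machine).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0071 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1305 1 0 100 0 0 10 0
   2: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 2410 1 0 100 0 0 10 0
   3: 0A00A8C0:8F3C 010200C0:0050 01 00000000:00000000 00:00000000 00000000  1000        0 2522 1 0 20 4 30 10 -1
"""

def decode_addr(field):
    """Turn 'HEXIP:HEXPORT' into (dotted_ip, port).

    The IPv4 address is printed as a host-order integer, which is
    little-endian on x86 machines (assumed here).
    """
    hex_ip, hex_port = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)

def listeners(proc_net_tcp):
    """Return every listening TCP socket found in the table text."""
    found = []
    for line in proc_net_tcp.splitlines()[1:]:      # skip the header row
        cols = line.split()
        if len(cols) < 10 or cols[3] != LISTEN:     # ignore non-listening rows
            continue
        ip, port = decode_addr(cols[1])
        found.append({"ip": ip, "port": port, "uid": int(cols[7]),
                      "network_facing": not ip.startswith("127.")})
    return found

def root_exposed(proc_net_tcp):
    """Ports with a root-owned listener bound to a non-loopback address."""
    return [s["port"] for s in listeners(proc_net_tcp)
            if s["uid"] == 0 and s["network_facing"]]

if __name__ == "__main__":
    with open("/proc/net/tcp") as table:            # IPv4 only; IPv6 is in tcp6
        print(root_exposed(table.read()))
```

A listener on `127.0.0.1` is not reachable from other hosts, which is why only the non-loopback, uid 0 rows are reported.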

Many thanks for those explanations, Bruce. I know that when I first started with Linux getting into it was difficult enough for me let alone anyone else . . .

There is a thread somewhere on changing from root to spot (I seem to remember) or creating another usr for those so inclined.

One thing we can all do is run the morizot firewall wizard, which I believe closes any open ports until they are required (this is one of the wizards)

One of the reasons I am no longer using Windows is the amount of time dedicated and required to maintain a system free of malware.

If anything did happen, I guess I would get rid of the pup001, turn the machine off (no log out) and reboot.

Here is our info, anyone please add to it if you have ideas or suggestions
- there are a couple of tests you can run
http://www.goosee.com/puppy/wikka/Security

- in fact our previous wiki was spammed and we went over to this new one which has been fine - one spammer. We just rolled back that page
That of course does not affect Puppys - just the page is full of dubious links for a short while

If you look in Puppy help menu under utils - you will find TinyLogin
maybe that would be useful for some people (perhaps several people using one Puppy)

Also in 1.0.4 (due this week) the pup001 can be renamed, relocated (perhaps on a removable keydrive?) for those requiring max privacy


Posted: Mon 18 Jul 2005, 06:22 Post subject:

From the wiki:

The site www.grc.com has ShieldsUp!, a product that will test the security of your computer while connected to the Internet. ShieldsUp! basically performs 3 tests: "file sharing", "common ports" and "service ports". Without the firewall running, Puppy "failed" the second two tests, as although all ports are "closed" they are not "hidden". Also, Puppy responded to ping requests. These failures are not necessarily a problem and Puppy is still secure.

I should mention that Steve Gibson wants what he describes as a 'stealth' port as his standard. Meaning that the scanner cannot even see that the port exists. A few years back some firewall vendors were happy to close a service port. But ZoneAlarm came along with some technology that 'stealthed' the port. Steve's site and the stealth idea put pressure on other firewall vendors to stealth the ports. So today Windows firewalls stealth the ports.

A totally stealthed machine means in effect that the only thing that can be known about your computer is the IP address exists. But a scanner can't find any port to talk to. Simply stated, a stealthed port doesn't talk back period.

A closed port will in effect say "closed" to the scanner, this means that there is some software routine on the port or it would not communicate 'closed'.

The scanner could try to get it to open and provide services. The chances of success are very poor IMO. But you can google to learn more about the closed port as it pertains to Linux.

This total stealth condition is usually a result of having a good firewall.

A closed port is interpreted as a failure on Steve's scanner. It, as I think you know, is not a failure. It only means that the scanner can see that the port exists and that it is closed. With this information it can try various exploits on that port.

If you find an open port or a closed port you can Google for what that signifies on a Linux machine.

I'd like to try G2's new firewall script. I don't think I need a firewall because the router pretty well protects the computer. But I love to tinker and a firewall script would be something to tinker with.

I've read recently about malformed jpgs causing buffer overruns and allowing hacking. This is more of a discovery, than an actually happening. Software is being rewritten to handle this potential.

I think it has been handled with Firefox. I clean all the jpgs I plan to keep. Even if Gimp has a problem and I don't know that it does, it will not be fed a malformed jpg.

I like running Top in Puppy to see what processes are running and how much CPU they use, etc.

After a while you will become familiar with what software normally runs and you know which ones you are using.

With this familiarity, if something strange shows up you will be able to recognize it.

Changing the subject of things to worry about. Yesterday I was hiking and a long and very fat rattlesnake was lying in my path. I thought it would be best to not step over it. I wasn't in the mood to kill it. So, I approached it thinking it would get afraid and take off.

It wasn't the least bit afraid. It simply coiled in the strike position. I kept back of striking distance and wondered if it would come after me. But I could hardly imagine that. (I carry a hiking stick to stand between me and a potential predator.)

After about 90 seconds of facing off, he decided to uncoil himself and wander into the brush and let me by. But he did it so slowly, without the least bit of fear.
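The open, closed and "stealthed" port states discussed earlier in the post above differ in how a connection attempt ends: a completed handshake, an explicit refusal, or no answer at all. This added example (not from the thread or from ShieldsUp!; function names are illustrative) classifies ports on a machine you administer by that outcome:

```python
import errno
import socket

def probe_tcp_port(host, port, timeout=1.0):
    """Classify one TCP port by how the host answers a connection attempt.

    open        handshake completed: a program is listening
    closed      the host refused (TCP reset): visible, but nothing listening
    stealth     no answer before the timeout: the packet was silently dropped
    unreachable a router or the host reported that the address cannot be reached
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            return "unreachable"
        raise
    finally:
        sock.close()

def audit_ports(ports, host="127.0.0.1", timeout=1.0):
    """Probe several ports on one host and return {port: state}."""
    return {port: probe_tcp_port(host, port, timeout) for port in ports}

if __name__ == "__main__":
    # 113 is the ident port mentioned earlier in the thread.
    for port, state in sorted(audit_ports([22, 80, 113]).items()):
        print(port, state)
```

Probing `127.0.0.1` usually bypasses firewall rules, so a "stealth" result normally appears only when the probe comes from another host on the far side of the firewall or router.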

Posted: Mon 18 Jul 2005, 10:03 Post subject: On the role of ports in networking

The whole 'port' thing is a major revelation. By that I mean that the scheme of ports, what they do and how they work, is central to networking and especially the use of the internet, yet it is barely mentioned in the literature that is meant for beginning computer users to read. I didn't know they existed for several years after I started using a computer, and, after it began to dawn on me that they play a central role in networking, I still had a hard time finding an explanation of them.

Perhaps if writers of 'how-to' articles and books for beginners would give ports their proper place and explain what they are and how they work, people would have a better idea of why certain exploits work and how to guard their system against them.

To me the easiest way to use Puppy and not have to worry about anyone getting into my box would be to remove the HD and just use the live CD.

As my box sits on the bench beside me with the sides removed to facilitate swapping the 8 or so HDs that I use, removing the HD is no problem, and I don't know how much harm an intruder could cause just by being in RAM.

If they could attack any part of your box apart from the HD they would be doing it already.

As I run behind a firewall and only use Puppy for the internet I don't seem to have any problems but that is not to say that nothing can happen, when and if it does I'll deal with it.

I run more risk of losing data through HDs frying on me than from outside attacks and that's why I have a file server.

In relation to ports all the info is available if you read the Linux HowTo Firewall & Proxy Server the only thing being that you will have to read up on iptables to stay up to date.

Your statement about leaving the system 'unattended' causes me to think you have a belief that people can remotely access your Linux computer when you are running as root without an interaction on your part. How so?


There is a difference between belief and certainty. If you are running as root you actually require extra 'interaction on your part' to avoid intrusion.

How so, you ask? I am not a security expert or hacker. - I've just read a couple of security books and attended a couple of sessions at conferences - but... If people weren't able to remotely access your computer, there wouldn't be a need for firewalls.

I am glad that you have taken all those steps to protect your computer. I also run behind a hardware firewall, so I am not too concerned about running as root. I am also careful with what I download, open and run and I haven't been infected with a trojan in Windows.

My educated belief is that you require more knowledge and more 'interaction on your part' to run as root and still be protected. Remember that not everyone has a hardware firewall or understands how to correctly configure a software one. Many less technically savvy users open ports without understanding the risk. Actually, even security experts keep learning new risks they did not know about.

Of course if you know what you are doing, running as root is OK. And it seems that you do. But don't assume that most people do.

Run each process with as little privilege as it requires.

That is a rule of thumb. If it does not apply to you, great. Just don't assume that it does not apply to anyone.

You've taken steps to protect your computer and learned how to be a good netizen. Then I don't understand how you can suggest that running unprotected is good netizenship. By definition running as root unprotects a system. (All the extra steps you have taken either protect the network or are based on educated decisions.)

It's like saying that because nobody has slipped in front of your house in winter it is not good citizenship to shovel and melt the ice.


Posted: Tue 19 Jul 2005, 03:21 Post subject:

I could talk shop and generally prefer to, but I don't want to lose sight of my point of contention.

It is not socially immoral or wrong to run your personal computer as root. I run Puppy as root with no password even. I run Vector as root with no password. I run Suse with a password because it's bossy and makes me do it.

If you wish to maintain the position about other people being affected or bad Netizenship, I think it fair to ask you to back up this moral stance with some specifics.

1) who got affected remotely because someone else was running their personal computer as root, where they would not have been affected otherwise?

An interesting note about ShieldsUp:
I originally tested it back around Puppy version 0.6, when Puppy apps were compiled on RedHat 8.0, and I think it was Mozilla 0.9.8.
When Linux Firewall was installed, ShieldsUp reported total stealth, that is, ALL ports were in stealth mode. It reported Puppy as totally hidden.
I can't achieve that anymore, and I'm not knowledgeable enough in the field to understand why.

Note, we aren't using Linux Firewall anymore, replaced by Morizot, as the former wasn't installing properly -- rather, the graphical installer is faulty, but the firewall does work if manually installed, except can no longer get the total stealth mode of all ports.

A note about running as root:
It's very contentious.
The real Puppy, the mascot for Puppy Linux, was a very tiny dog, a Chihuahua, but totally fearless. He didn't seem to know that he was vulnerable because of his small size.
Once when my sister was visiting my country property, she brought her Blue Heeler, a very solid middle-sized dog named Muti. We were out walking, and suddenly there was a substantial rustling of branches of a large bush, something was in or behind the bush. Muti took fright and ran back behind the legs of my sister, whereas Puppy got into launch position in front of the bush and barked furiously. It turned out to be my dad playing a trick on the dogs.
Puppy used to chase kangaroos and other big wild animals.
Totally fearless, but perhaps that is what did him in in the end.

Anyway, Puppy Linux is like that, reckless, unshackled, in memory of the mascot, even though we know there's some risk.

Having said that, we probably do need to generally move in the direction of being more protected.
